The flaw that "Firefoxed" Internet Explorer

A few days back there was an immense furor over a zero-day vulnerability that abused IE's handling of a Firefox URL protocol to execute malicious JavaScript code. The flaw was triggered on a system with Firefox installed and IE used for browsing.

If someone using IE visits a Web page that tries to call a Firefox URL, the Microsoft browser will launch Firefox with no other prompting, passing it the URL. Neither browser, according to Mozilla, sanitizes the URL, which would allow an attacker to make Firefox execute malicious JavaScript code. The user would have to visit a maliciously crafted Web page or open a malicious e-mail. User interaction is required.
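An added example, not code from Mozilla, Microsoft or the original post: a model of why an unsanitized URL pasted into a protocol handler's command line is a problem, and how percent-encoding keeps it a single argument. The handler template, program name, switch and sample URLs are constructed assumptions, and `shlex` stands in for the platform's argument splitter.

```python
import shlex
from urllib.parse import quote

# Hypothetical handler registration: the caller substitutes the URL for %1.
# Program name and -url switch are placeholders, not taken from the page.
HANDLER_TEMPLATE = '"exampleapp" -url "%1"'

# Characters RFC 3986 allows in a URI (reserved + unreserved marks) plus "%".
SAFE_URI_CHARS = "-._~:/?#[]@!$&'()*+,;=%"

def naive_command(url: str) -> str:
    """What an unsanitizing caller does: paste the URL into the template."""
    return HANDLER_TEMPLATE.replace("%1", url)

def sanitize_url(url: str) -> str:
    """Percent-encode every character that is not legal in a URI.

    Double quotes, spaces, backslashes and control characters become %XX,
    so the URL cannot close the quoted argument it is placed in.
    """
    return quote(url, safe=SAFE_URI_CHARS)

def safe_command(url: str) -> str:
    return HANDLER_TEMPLATE.replace("%1", sanitize_url(url))

def argv_of(command: str) -> list:
    # Assumption: shlex models the argument splitter; for plain double
    # quotes its behaviour matches what the example needs.
    return shlex.split(command)

def changes_argument_count(url: str) -> bool:
    """Detection check: does this URL alter the handler's argv layout?"""
    baseline = len(argv_of(naive_command("x")))
    try:
        return len(argv_of(naive_command(url))) != baseline
    except ValueError:  # unbalanced quotes: the URL broke the quoting
        return True

# Constructed sample inputs.
BENIGN = "exampleapp://open/page?id=1"
BREAKOUT = 'exampleapp://open/page" -extra-switch "value'

if __name__ == "__main__":
    for url in (BENIGN, BREAKOUT):
        print(changes_argument_count(url), argv_of(safe_command(url)))
```
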

The flaw needed a certain degree of user interaction (lockergnome) to be activated, and the folks at Mozilla have patched the issue in their 2.0.0.5 browser release. What's deeply intriguing about the flaw is how it uses the interface between the applications (in this case IE and Mozilla) to launch an attack.

The flaw sparked a lot of sparring between executives of Mozilla and Microsoft (TechWorld), each blaming the other's API call for the flaw. Software makers can ensure a lot of security around their internal code, but when it comes to APIs they expose to third-party software, the usage is in the hands of the third party and may present vulnerable endpoints.

Bottom line

Be wary of the software installed on the system that you use. Even unused software APIs can act as potential entry points for malware and trigger an exploit.